Hi again,
I didn't want to hijack a thread, so here is a second mail with a completely different question.
If I have a structure like:
User
- Role
Role
- User
- Permission
Permission
- Role
Now I want to get the authorization for some permission, so I have the information which user and which permission. Now I need to match the lists. The way it already works:
Get all Roles for a Permission
Search in the User for the Role
If found: Authorization
Else: no
Therefore I need at least two requests to the LDAP server.
My question: Is it possible to send only the DN of a permission and tell the server that it needs to extract the Role attributes and check the DN of a user for those roles? Can I implement an overlay on the server to manage this task, or is it senseless to think about such a task for the server?
Greetings John
-- Johannes Fischer, Research Associate
Fraunhofer-Institut für Produktionstechnik und Automatisierung IPA
Kompetenzzentrum Digitale Werkzeuge in der Produktion
Nobelstraße 12 │ 70569 Stuttgart, Phone +49 711 970-1217
johannes.fischer@ipa.fraunhofer.de | http://www.ipa.fraunhofer.de/
On Fri, 28 Aug 2015 06:06:06 +0000, "Fischer, Johannes" johannes.fischer@ipa.fraunhofer.de wrote:
For this sort of task I use slapo-memberof(5) and a proper filter, something like (&(uid=$1)(memberOf=myGroup)).
-Dieter
Hi,
I've tried your idea. It worked well with groupOfNames. Then I've tried to implement the memberof overlay for a user-specific objectClass:
dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member
While adding the LDIF, an error appeared: unable to find group objectClass="GroupOfPermissions". The objectClass is available on the server and is a self-created objectClass. Do I have to include some paths to announce the objectClass?
Greetings John
-----Original Message----- From: Dieter Klünter [mailto:dieter@dkluenter.de] Sent: Friday, 28 August 2015 09:36 To: Fischer, Johannes Cc: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
On Fri, 28 Aug 2015 12:16:48 +0000, "Fischer, Johannes" johannes.fischer@ipa.fraunhofer.de wrote:
Check whether groupOfPermissions is loaded at all:
ldapsearch -x -H ldap://localhost -b cn=subschema -s base + | grep -A2 'groupOfPermissions'
And what is the syntax of permissionMember and member?
-Dieter
Hi Dieter,
It was a great idea to actually search for the objectClass on the server... The objectClass 'groupOfPermissions' was already in my documentation but not on the server...
Shame on me
Thanks a lot.
John
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Dieter Klünter Sent: Friday, 28 August 2015 15:24 To: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
Hi again,
I did not get what I wanted to get. With the memberof overlay I get a structure like expected:
User
- memberOfGroup
groupOfPermission
- member
- permission
Permission
- memberOfGroup
With every update of groupOfPermission the links to the User and Permission class are generated. So far so good.
If I want to check whether a user has some permission, I still have to collect the memberOfGroup attributes from the Permission class. Then I am able to search for the corresponding link between user and permission, like (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup)))). This works, BUT it requires two interactions with the server. This is an all-time problem. Is there a better solution with some magic LDAP overlay?
Greetings John
PS: We want a mapping of permissions to users; this way a fine-granular mapping of permissions to groups to users is possible at any time.
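The two-request check from the first mail (read the groups of a permission, then search the user for one of them) and the memberOf filter from this mail, as an added example that is not code from the thread: it runs against a constructed in-memory directory instead of a live server, and all DNs, attribute names and entries in it are assumptions. The point it adds is that group DNs read back from the directory must be escaped before they are spliced into the second request's filter.

```python
# Added example, not code from the thread: the two-request check John describes
# (request 1 reads the permission's memberOfGroup values, request 2 searches the
# user with a memberOf filter), run against a constructed in-memory directory so
# it works offline. The group DNs come back from the directory and are spliced
# into a filter, so they are escaped per RFC 4515 first: an unescaped ')' or '*'
# inside a value would change what the filter means.
# All DNs, attribute names and entries below are constructed for this example.

DIRECTORY = {
    "cn=print,ou=permissions,dc=example,dc=com": {
        "memberOfGroup": [
            "cn=staff,ou=groups,dc=example,dc=com",
            "cn=it (ops),ou=groups,dc=example,dc=com",  # parentheses in the RDN
        ],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "memberOf": ["cn=it (ops),ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "memberOf": ["cn=guests,ou=groups,dc=example,dc=com"],
    },
}

# Filter metacharacters and their RFC 4515 escape sequences.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_authz_filter(uid, group_dns):
    """Filter for request 2: the entry with this uid that is a member of at
    least one group granting the permission. This is the (&(uid=$1)(memberOf=...))
    filter from the thread, generalised to an OR over all granting groups."""
    if not group_dns:
        return None  # no group grants the permission, so there is nothing to search
    groups = "".join("(memberOf=%s)" % escape_filter_value(g) for g in group_dns)
    return "(&(uid=%s)(|%s))" % (escape_filter_value(uid), groups)


def is_authorized(directory, uid, permission_dn):
    """Request 1: read memberOfGroup from the permission entry. Request 2: search
    for the user with the built filter; the search is emulated here by testing
    the same conditions the filter expresses against the in-memory entries."""
    granting = set(directory.get(permission_dn, {}).get("memberOfGroup", []))
    ldap_filter = build_authz_filter(uid, sorted(granting))
    if ldap_filter is None:
        return False
    for entry in directory.values():
        if uid in entry.get("uid", []) and granting & set(entry.get("memberOf", [])):
            return True
    return False


if __name__ == "__main__":
    perm = "cn=print,ou=permissions,dc=example,dc=com"
    print(build_authz_filter("alice", DIRECTORY[perm]["memberOfGroup"]))
    print(is_authorized(DIRECTORY, "alice", perm), is_authorized(DIRECTORY, "bob", perm))
```

Against a real server the emulated loop in is_authorized would be the ldapsearch sent with the filter that build_authz_filter returns; the number of round trips stays at two, which is the thread's open question.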
On Tue, 1 Sep 2015 06:21:34 +0000, "Fischer, Johannes" johannes.fischer@ipa.fraunhofer.de wrote:
You may test sets: http://www.openldap.org/faq/data/cache/1133.html
If you have some spare time in November, you may attend LDAP Conference 2015 at Edinburgh, http://ldapcon.org/2015/. Shawn McKinney's paper on a Security Access Control Engine is quite promising, and Michael Stroeder's paper on a user management system may give you some insights into your tasks.
-Dieter
Dieter Klünter wrote:
you may test sets http://www.openldap.org/faq/data/cache/1133.html
But be warned that sets are damn slow!
Ciao, Michael.
Is there any other possibility to implement what we want, but without the set stuff?
At the moment we are "only" designing and testing our system, so we are at the beginning of the process and are able to implement everything.
Greetings John
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Michael Ströder Sent: Wednesday, 2 September 2015 21:58 To: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
I have some trouble realizing a search based on the set.
Just to get familiar with the syntax, I've tried to return all member DNs listed in cn=admin, with no result:
(& (cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com/member) (objectClass=*) )
When I try to add the "[]", a bad char error appears:
(& ([cn=admin,ou=groups,dc=vfk,dc=ldap,dc=com]/member) (objectClass=*) )
Yesterday I had the right search request, but then the phone rang, and after 20 minutes on the phone I couldn't remember the search request.
Thank you for your help
John
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Dieter Klünter Sent: Tuesday, 1 September 2015 09:30 To: openldap-technical@openldap.org Subject: Re: Permission management with LDAP
Sets are for access control only and used internally at the server!
And sets are very fast in my experience on indexed attributes!
On 2015-09-03 08:38, Fischer, Johannes wrote: